/* * dnssec.c * Some DNSSEC helper function are defined here * and tracing is done * (c) 2005 NLnet Labs * * See the file LICENSE for the license * */ #include "drill.h" #include /* get rr_type from a server from a server */ ldns_rr_list * get_rr(ldns_resolver *res, ldns_rdf *zname, ldns_rr_type t, ldns_rr_class c) { /* query, retrieve, extract and return */ ldns_pkt *p; ldns_rr_list *found; p = ldns_pkt_new(); found = NULL; if (ldns_resolver_send(&p, res, zname, t, c, 0) == LDNS_STATUS_OK) { found = ldns_pkt_rr_list_by_type(p, t, LDNS_SECTION_ANY_NOQUESTION); } ldns_pkt_free(p); return found; } void drill_pkt_print(FILE *fd, ldns_resolver *r, ldns_pkt *p) { ldns_rr_list *new_nss; ldns_rr_list *hostnames; char *answerfrom_str; if (verbosity < 5) { return; } hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0); new_nss = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_NS, LDNS_SECTION_ANSWER); ldns_rr_list_print(fd, new_nss); ldns_rr_list_deep_free(new_nss); fprintf(fd, ";; Received %d bytes from %s#%d(", (int) ldns_pkt_size(p), ldns_rdf2str(ldns_pkt_answerfrom(p)), (int) ldns_resolver_port(r)); /* if we can resolve this print it, other print the ip again */ if (hostnames) { ldns_rdf_print(fd, ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0)); ldns_rr_list_deep_free(hostnames); } else { answerfrom_str = ldns_rdf2str(ldns_pkt_answerfrom(p)); if (answerfrom_str) { fprintf(fd, "%s", answerfrom_str); LDNS_FREE(answerfrom_str); } } fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p)); } void drill_pkt_print_footer(FILE *fd, ldns_resolver *r, ldns_pkt *p) { ldns_rr_list *hostnames; char *answerfrom_str; if (verbosity < 5) { return; } hostnames = ldns_get_rr_list_name_by_addr(r, ldns_pkt_answerfrom(p), 0, 0); fprintf(fd, ";; Received %d bytes from %s#%d(", (int) ldns_pkt_size(p), ldns_rdf2str(ldns_pkt_answerfrom(p)), (int) ldns_resolver_port(r)); /* if we can resolve this print it, other print the ip again */ if (hostnames) { ldns_rdf_print(fd, ldns_rr_rdf(ldns_rr_list_rr(hostnames, 0), 0)); ldns_rr_list_deep_free(hostnames); } else { answerfrom_str = ldns_rdf2str(ldns_pkt_answerfrom(p)); if (answerfrom_str) { fprintf(fd, "%s", answerfrom_str); LDNS_FREE(answerfrom_str); } } fprintf(fd, ") in %u ms\n\n", (unsigned int)ldns_pkt_querytime(p)); } /* * generic function to get some RRset from a nameserver * and possible some signatures too (that would be the day...) */ ldns_pkt_type get_dnssec_rr(ldns_pkt *p, ldns_rdf *name, ldns_rr_type t, ldns_rr_list **rrlist, ldns_rr_list **sig) { ldns_pkt_type pt = LDNS_PACKET_UNKNOWN; ldns_rr_list *sigs = NULL; size_t i; if (!p) { if (rrlist) { *rrlist = NULL; } return LDNS_PACKET_UNKNOWN; } pt = ldns_pkt_reply_type(p); if (name) { if (rrlist) { *rrlist = ldns_pkt_rr_list_by_name_and_type(p, name, t, LDNS_SECTION_ANSWER); if (!*rrlist) { *rrlist = ldns_pkt_rr_list_by_name_and_type( p, name, t, LDNS_SECTION_AUTHORITY); } } if (sig) { sigs = ldns_pkt_rr_list_by_name_and_type(p, name, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER); if (!sigs) { sigs = ldns_pkt_rr_list_by_name_and_type( p, name, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_AUTHORITY); } } } else { /* A DS-referral - get the DS records if they are there */ if (rrlist) { *rrlist = ldns_pkt_rr_list_by_type( p, t, LDNS_SECTION_AUTHORITY); } if (sig) { sigs = ldns_pkt_rr_list_by_type(p, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_AUTHORITY); } } if (sig) { *sig = ldns_rr_list_new(); for (i = 0; i < ldns_rr_list_rr_count(sigs); i++) { /* only add the sigs that cover this type */ if (t == ldns_rdf2rr_type(ldns_rr_rrsig_typecovered( ldns_rr_list_rr(sigs, i)))) { ldns_rr_list_push_rr(*sig, ldns_rr_clone( ldns_rr_list_rr( sigs, i))); } } } ldns_rr_list_deep_free(sigs); if (pt == LDNS_PACKET_NXDOMAIN || pt == LDNS_PACKET_NODATA) { return pt; } else { return LDNS_PACKET_ANSWER; } } ldns_status ldns_verify_denial(ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type, ldns_rr_list **nsec_rrs, ldns_rr_list **nsec_rr_sigs) { #ifdef HAVE_SSL uint16_t nsec_i; ldns_rr_list *nsecs; ldns_status result; if (verbosity >= 5) { printf("VERIFY DENIAL FROM:\n"); ldns_pkt_print(stdout, pkt); } result = LDNS_STATUS_CRYPTO_NO_RRSIG; /* Try to see if there are NSECS in the packet */ nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC, LDNS_SECTION_ANY_NOQUESTION); if (nsecs) { for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsecs); nsec_i++) { /* there are four options: * - name equals ownername and is covered by the type bitmap * - name equals ownername but is not covered by the type bitmap * - name falls within nsec coverage but is not equal to the owner name * - name falls outside of nsec coverage */ if (ldns_dname_compare(ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), name) == 0) { /* printf("CHECKING NSEC:\n"); ldns_rr_print(stdout, ldns_rr_list_rr(nsecs, nsec_i)); printf("DAWASEM\n"); */ if (ldns_nsec_bitmap_covers_type( ldns_nsec_get_bitmap(ldns_rr_list_rr(nsecs, nsec_i)), type)) { /* Error, according to the nsec this rrset is signed */ result = LDNS_STATUS_CRYPTO_NO_RRSIG; } else { /* ok nsec denies existence */ if (verbosity >= 3) { printf(";; Existence of data set with this type denied by NSEC\n"); } /*printf(";; Verifiably insecure.\n");*/ if (nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_OK; } } else if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, nsec_i), name)) { if (verbosity >= 3) { printf(";; Existence of data set with this name denied by NSEC\n"); } if (nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(ldns_rr_list_rr(nsecs, nsec_i)), LDNS_RR_TYPE_NSEC, nsec_rrs, nsec_rr_sigs); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_OK; } else { /* nsec has nothing to do with this data */ } } ldns_rr_list_deep_free(nsecs); } else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) { ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION); ldns_rr* q = ldns_rr_new(); ldns_rr* match = NULL; if(!sigs) { if (q) { ldns_rr_free(q); } ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_MEM_ERR; } if(!q) { ldns_rr_list_deep_free(nsecs); ldns_rr_list_deep_free(sigs); return LDNS_STATUS_MEM_ERR; } ldns_rr_set_question(q, 1); ldns_rr_set_ttl(q, 0); ldns_rr_set_owner(q, ldns_rdf_clone(name)); if(!ldns_rr_owner(q)) { ldns_rr_free(q); ldns_rr_list_deep_free(sigs); ldns_rr_list_deep_free(nsecs); return LDNS_STATUS_MEM_ERR; } ldns_rr_set_type(q, type); /* result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0); */ result = ldns_dnssec_verify_denial_nsec3_match(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0, &match); if (result == LDNS_STATUS_OK && match && nsec_rrs && nsec_rr_sigs) { (void) get_dnssec_rr(pkt, ldns_rr_owner(match), LDNS_RR_TYPE_NSEC3, nsec_rrs, nsec_rr_sigs); } ldns_rr_free(q); ldns_rr_list_deep_free(nsecs); ldns_rr_list_deep_free(sigs); } return result; #else (void)pkt; (void)name; (void)type; (void)nsec_rrs; (void)nsec_rr_sigs; return LDNS_STATUS_ERR; #endif /* HAVE_SSL */ } /* NSEC3 draft -07 */ /*return hash name match*/ ldns_rr * ldns_nsec3_exact_match(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) { uint8_t algorithm; uint32_t iterations; uint8_t salt_length; uint8_t *salt; ldns_rdf *sname = NULL, *hashed_sname = NULL; size_t nsec_i; ldns_rr *nsec; ldns_rr *result = NULL; const ldns_rr_descriptor *descriptor; ldns_rdf *zone_name = NULL; if (verbosity >= 4) { printf(";; finding exact match for "); descriptor = ldns_rr_descript(qtype); if (descriptor && descriptor->_name) { printf("%s ", descriptor->_name); } else { printf("TYPE%d ", qtype); } ldns_rdf_print(stdout, qname); printf("\n"); } if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) { if (verbosity >= 4) { printf("no qname, nsec3s or list empty\n"); } return NULL; } nsec = ldns_rr_list_rr(nsec3s, 0); algorithm = ldns_nsec3_algorithm(nsec); salt_length = ldns_nsec3_salt_length(nsec); salt = ldns_nsec3_salt_data(nsec); iterations = ldns_nsec3_iterations(nsec); if (salt == NULL) { goto done; } sname = ldns_rdf_clone(qname); if (sname == NULL) { goto done; } if (verbosity >= 4) { printf(";; owner name hashes to: "); } hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt); if (hashed_sname == NULL) { goto done; } zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec)); if (zone_name == NULL) { goto done; } if (ldns_dname_cat(hashed_sname, zone_name) != LDNS_STATUS_OK) { goto done; }; if (verbosity >= 4) { ldns_rdf_print(stdout, hashed_sname); printf("\n"); } for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) { nsec = ldns_rr_list_rr(nsec3s, nsec_i); /* check values of iterations etc! */ /* exact match? */ if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) { result = nsec; goto done; } } done: ldns_rdf_deep_free(zone_name); ldns_rdf_deep_free(sname); ldns_rdf_deep_free(hashed_sname); LDNS_FREE(salt); if (verbosity >= 4) { if (result) { printf(";; Found.\n"); } else { printf(";; Not foud.\n"); } } return result; } /*return the owner name of the closest encloser for name from the list of rrs */ /* this is NOT the hash, but the original name! */ ldns_rdf * ldns_nsec3_closest_encloser(ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s) { /* remember parameters, they must match */ uint8_t algorithm; uint32_t iterations; uint8_t salt_length; uint8_t *salt; ldns_rdf *sname = NULL, *hashed_sname = NULL, *tmp; bool flag; bool exact_match_found; bool in_range_found; ldns_rdf *zone_name = NULL; size_t nsec_i; ldns_rr *nsec; ldns_rdf *result = NULL; if (!qname || !nsec3s || ldns_rr_list_rr_count(nsec3s) < 1) { return NULL; } if (verbosity >= 4) { printf(";; finding closest encloser for type %d ", qtype); ldns_rdf_print(stdout, qname); printf("\n"); } nsec = ldns_rr_list_rr(nsec3s, 0); algorithm = ldns_nsec3_algorithm(nsec); salt_length = ldns_nsec3_salt_length(nsec); salt = ldns_nsec3_salt_data(nsec); iterations = ldns_nsec3_iterations(nsec); if (salt == NULL) { goto done; } sname = ldns_rdf_clone(qname); if (sname == NULL) { goto done; } flag = false; zone_name = ldns_dname_left_chop(ldns_rr_owner(nsec)); if (zone_name == NULL) { goto done; } /* algorithm from nsec3-07 8.3 */ while (ldns_dname_label_count(sname) > 0) { exact_match_found = false; in_range_found = false; if (verbosity >= 3) { printf(";; "); ldns_rdf_print(stdout, sname); printf(" hashes to: "); } hashed_sname = ldns_nsec3_hash_name(sname, algorithm, iterations, salt_length, salt); if (hashed_sname == NULL) { goto done; } if (ldns_dname_cat(hashed_sname, zone_name) != LDNS_STATUS_OK){ goto done; } if (verbosity >= 3) { ldns_rdf_print(stdout, hashed_sname); printf("\n"); } for (nsec_i = 0; nsec_i < ldns_rr_list_rr_count(nsec3s); nsec_i++) { nsec = ldns_rr_list_rr(nsec3s, nsec_i); /* check values of iterations etc! */ /* exact match? */ if (ldns_dname_compare(ldns_rr_owner(nsec), hashed_sname) == 0) { if (verbosity >= 4) { printf(";; exact match found\n"); } exact_match_found = true; } else if (ldns_nsec_covers_name(nsec, hashed_sname)) { if (verbosity >= 4) { printf(";; in range of an nsec\n"); } in_range_found = true; } } if (!exact_match_found && in_range_found) { flag = true; } else if (exact_match_found && flag) { result = ldns_rdf_clone(sname); } else if (exact_match_found && !flag) { // error! if (verbosity >= 4) { printf(";; the closest encloser is the same name (ie. this is an exact match, ie there is no closest encloser)\n"); } ldns_rdf_deep_free(hashed_sname); goto done; } else { flag = false; } ldns_rdf_deep_free(hashed_sname); tmp = sname; sname = ldns_dname_left_chop(sname); ldns_rdf_deep_free(tmp); if (sname == NULL) { goto done; } } done: LDNS_FREE(salt); ldns_rdf_deep_free(zone_name); ldns_rdf_deep_free(sname); if (!result) { if (verbosity >= 4) { printf(";; no closest encloser found\n"); } } /* todo checks from end of 6.2. here or in caller? */ return result; }